With over 300,000 computers affected in more than 150 countries, and the United Kingdom's National Health Service crippled on Friday, the finger pointing over the WannaCry (aka WCry or WannaCryptor) malware is in full force. This latest, and by some measures most impactful, ransomware outbreak illustrates the convergence of several trends.
First, in 2016 alone, ransomware became a billion-dollar industry, and it will only grow as long as the risk-reward calculus remains so heavily slanted in favor of attackers. Second, the online proliferation of nation-state capabilities, such as the Shadow Brokers leaks and Wikileaks' Vault 7, has dramatically lowered the bar for the resources required to carry out sophisticated attacks. Finally, given these available tools and a profitable business model, attackers are targeting specific industries and corporations, including the healthcare industry, which has been especially hard hit by ransomware over the last few years.
For those of us in the industry, WannaCry unfortunately brought these trends together, each of which alone is cause for concern and which together are having the widespread impact that continues today. That said, despite its reach, WannaCry is unlikely to bring about the paradigm shift so badly needed in defending against cyber attacks.
There are (at least) two reasons for this. First, patching remains reactive instead of preventative. The SMBv1 flaw WannaCry exploits had been fixed in Microsoft's March 2017 security update (MS17-010), two months before the outbreak, yet unpatched systems were still abundant. This is often due to concerns over business disruption, limited resources, or simply the difficulty of simultaneously patching so many disparate systems within large enterprises.
Second, while last week's executive order highlighted some useful priorities, it perpetuates the push for more analyses and working groups, which won't do enough to address the policy modernization needed to create a deterrent against these attacks. At the Senate Armed Services Committee hearing last week, Sen. John McCain summed it up well in his introductory remarks: "We have expressed our concern at the lack of a strategy and policy for addressing our cyber threats … But cyber is an issue that requires an integrated, whole-of-government approach. We simply do not have that now."
Given its limited impact on the US so far, WannaCry will likely not prompt any domestic policy change.
Creating such a policy is hard. It has been roughly 20 years since Moonlight Maze, and there has been very little progress toward a deterrent strategy against cyber attacks. Similarly, from talent pipeline shortages and the growing sophistication of targeted attacks to incentives that do nothing to expedite or prioritize patching, the private sector is struggling to keep pace with the modern threat environment.
This leaves us with finger pointing. Microsoft blames the government for stockpiling offensive cyber capabilities, while others blame the victim organizations for failing to maintain proper 'cyber hygiene'. Microsoft has also garnered plenty of blame for failing to support older software and for shipping products with such vulnerabilities. Ironically, of all the major players involved, the Shadow Brokers have received the least attention, despite having been linked to Russia and despite this latest attack occurring the day after Trump's executive order. Interestingly, despite the breadth of the attack, it may not prove terribly lucrative.
Many will say WannaCry is the wake-up call that finally moves both defensive postures and policy beyond incremental change. That probably will not be the case. There have been so many 'wake-up calls' over the last few years - consider Sony, the Democratic National Committee, SWIFT - and yet very little has changed within the policy community. Even the growing use of destructive wiper malware across the globe has yet to register as a blip on the radar in either the public or the private sector. For now, we are likely to see more of the blame game than the significant policy modernization that is desperately needed to foster a deterrent effect against cyber attacks. Until that happens, the damage will only continue.
Dr. Andrea Little Limbago is the chief social scientist at Endgame, a cybersecurity firm based in Arlington, Virginia.
The views expressed by contributors are their own and are not the views of The Hill.